Flowers, blossoming trees and a new plaso release.
Version 1.0.1alpha Release
Summer is finally here and what typically follows the blossoming trees are new tool releases, or at least upgrades to already existing ones.
It's been ... well, let's say a considerable time since our last release and quite frankly we are long overdue. During these last months we have made some substantial changes to the codebase. The first release was a very clear alpha release: it had some issues and lots of rough edges. We quickly discovered that the core backend had some limitations that would soon prevent us from expanding the tool. We wanted to fix those issues as soon as possible, despite them requiring refactoring a relatively large part of the core codebase. This is one of the reasons it's been such a long time between releases.
With that work somewhat behind us we are pleased to announce the release of plaso/log2timeline version 1.0.1alpha. Despite still bearing the name alpha it is a lot more stable and usable than its predecessor, with lots of new shiny features and much needed bug fixes. Just a quick reminder that the alpha here largely refers to the fact that the code base is still largely in flux and additional planned functionality is likely to change things significantly.
I would highly encourage people to start using this tool alongside its more stable cousin, the 0.X version of log2timeline. There are a lot of features already implemented that are not currently possible with the older version of log2timeline, and many more to come soon.
Highlights
Some of the highlights of the new version are:
New shiny parsers:
- Windows Event Logs (EVT and EVTX).
- Internet Explorer 4 - 9 history (or cache) files (index.dat).
- Symantec AV log.
- SELinux audit log.
- Google Drive SQLite parser.
- Several new registry plugins.
New features:
- Improved filtering.
- New assistant for easy development of text parsers.
- The front-end log2timeline now displays information about supported plugins.
- New front-end tool called pprof that is mostly useful for performance profiling and debugging.
Backend Changes (mostly something nobody but a developer really cares about):
- Complete reformat of how events are stored and processed.
- Removed all processing of protobufs in code; protobufs are now only used for serialization.
- Events no longer store message strings; these are defined separately in a formatter.
Other Changes:
- Parameters to the front-end log2timeline have been slightly changed. See the usage site for additional information.
Where To Get It?
The tool has been compiled into an executable for:
- Mac OS X Mountain Lion (aka 10.8).
- Ubuntu Linux Precise (12.04.1 LTS), both 32 and 64 bit.
- Windows, 32 and 64 bit versions.
The new binaries can be downloaded from here: https://code.google.com/p/plaso/downloads/list
And the source code at the point of release can be examined from here: http://plaso.googlecode.com/git-history/c6e2061b70c183d63f950393e71c24ade47ee6de/
What to Expect?
There should be a few follow-up blog posts that discuss the tool and some of the changes in it, for instance the way the storage file has changed and what that means for filtering. The filter page should also be up-to-date with the latest changes there.
For those that want to follow along there is always the roadmap, which displays what upcoming changes you may expect to see in the near future. There are also mailing lists (discuss and dev) and a G+ community for the tool, and of course there is always plenty of room for additional developers if you want to see those shiny new features implemented sooner.
Caveat
There is one important caveat that has to be mentioned. Since there have been substantial changes to the way events are stored and handled in the tool, the storage file produced by this release is not compatible with the previously released one. There is no way to read the older storage format using the new version.
If you still have some storage files produced from the earlier release you either need to run psort from the previous release on that data set to get an l2t_csv file, or complain to us. If there are people that really need to be able to read the data produced from the first release we can write a script that reads that storage file and transforms it into the new storage format.
You may expect similar behavior during the next release of the tool too; after that the storage should be stable enough not to change between releases. However, a bridge script/tool will most likely be provided during the next release if the storage mechanism changes enough that it will not be fully compatible.